Inheritance diagram for sspmod_saml_Auth_Source_SP:

Collaboration diagram for sspmod_saml_Auth_Source_SP:

Public Member Functions
	__construct ($info, $config)
	Constructor for SAML SP authentication source. More...

	getMetadataURL ()
	Retrieve the URL to the metadata of this SP. More...

	getEntityId ()
	Retrieve the entity id of this SP. More...

	getMetadata ()
	Retrieve the metadata of this SP. More...

	getIdPMetadata ($entityId)
	Retrieve the metadata of an IdP. More...

	sendSAML2AuthnRequest (array &$state, \SAML2\Binding $binding, \SAML2\AuthnRequest $ar)
	Function to actually send the authentication request. More...

	startSSO ($idp, array $state)
	Send a SSO request to an IdP. More...

	authenticate (&$state)
	Start login. More...

	reauthenticate (array &$state)
	Re-authenticate an user. More...

	startSLO2 (&$state)
	Start a SAML 2 logout operation. More...

	logout (&$state)
	Start logout operation. More...

	handleResponse (array $state, $idp, array $attributes)
	Handle a response from a SSO operation. More...

	handleLogout ($idpEntityId)
	Handle a logout request from an IdP. More...

Public Member Functions inherited from SimpleSAML_Auth_Source
	__construct ($info, &$config)
	Constructor for an authentication source. More...

	getAuthId ()
	Retrieve the ID of this authentication source. More...

	authenticate (&$state)
	Process a request. More...

	reauthenticate (array &$state)
	Reauthenticate an user. More...

	initLogin ($return, $errorURL=null, array $params=array())
	Start authentication. More...

	logout (&$state)
	Log out from this authentication source. More...

Static Public Member Functions
static	askForIdPChange (array &$state)
	Ask the user to log out before being able to log in again with a different identity provider. More...

static	reauthLogout (array $state)
	Log the user out before logging in again. More...

static	reauthPostLogin (array $state)
	Complete login operation after re-authenticating the user on another IdP. More...

static	handleUnsolicitedAuth ($authId, array $state, $redirectTo)
	Handle an unsolicited login operations. More...

static	onProcessingCompleted (array $authProcState)
	Called when we have completed the procssing chain. More...

Static Public Member Functions inherited from SimpleSAML_Auth_Source
static	getSourcesOfType ($type)
	Get sources of a specific type. More...

static	completeAuth (&$state)
	Complete authentication. More...

static	loginCompleted ($state)
	Called when a login operation has finished. More...

static	completeLogout (&$state)
	Complete logout. More...

static	getById ($authId, $type=null)
	Retrieve authentication source. More...

static	logoutCallback ($state)
	Called when the authentication source receives an external logout request. More...

static	getSources ()
	Retrieve list of authentication sources. More...

Private Member Functions
	startSSO1 (SimpleSAML_Configuration $idpMetadata, array $state)
	Send a SAML1 SSO request to an IdP. More...

	startSSO2 (SimpleSAML_Configuration $idpMetadata, array $state)
	Send a SAML2 SSO request to an IdP. More...

	startDisco (array $state)
	Start an IdP discovery service operation. More...

Private Attributes
	$entityId

	$metadata

	$idp

	$discoURL

Additional Inherited Members
Protected Member Functions inherited from SimpleSAML_Auth_Source
	addLogoutCallback ($assoc, $state)
	Add a logout callback association. More...

	callLogoutCallback ($assoc)
	Call a logout callback based on association. More...

Static Protected Member Functions inherited from SimpleSAML_Auth_Source
static	validateSource ($source, $id)
	Make sure that the first element of an auth source is its identifier. More...

Protected Attributes inherited from SimpleSAML_Auth_Source
	$authId

Detailed Description

Definition at line 3 of file SP.php.

Constructor & Destructor Documentation

◆ __construct()

sspmod_saml_Auth_Source_SP::__construct	(	$info,
		$config
	)

Constructor for SAML SP authentication source.

Parameters

array	$info	Information about this authentication source.
array	$config	Configuration.

Definition at line 39 of file SP.php.

    {
        assert(is_array($info));
        assert(is_array($config));
 
        // Call the parent constructor first, as required by the interface
        parent::__construct($info, $config);
 
        if (!isset($config['entityID'])) {
            $config['entityID'] = $this->getMetadataURL();
        }
 
        /* For compatibility with code that assumes that $metadata->getString('entityid')
         * gives the entity id. */
        $config['entityid'] = $config['entityID'];
 
        $this->metadata = SimpleSAML_Configuration::loadFromArray($config,
            'authsources[' . var_export($this->authId, true) . ']');
        $this->entityId = $this->metadata->getString('entityID');
        $this->idp = $this->metadata->getString('idp', null);
        $this->discoURL = $this->metadata->getString('discoURL', null);
 
        if (empty($this->discoURL) && SimpleSAML\Module::isModuleEnabled('discojuice')) {
            $this->discoURL = SimpleSAML\Module::getModuleURL('discojuice/central.php');
        }
    }

References $config, $info, getMetadataURL(), SimpleSAML\Module\getModuleURL(), and SimpleSAML_Configuration\loadFromArray().

Here is the call graph for this function:

Member Function Documentation

◆ askForIdPChange()

static sspmod_saml_Auth_Source_SP::askForIdPChange ( array & $state )

static

Ask the user to log out before being able to log in again with a different identity provider.

Note that this method is intended for instances of SimpleSAMLphp running as a SAML proxy, and therefore acting both as an SP and an IdP at the same time.

This method will never return.

Parameters

array

$state

The state array. The following keys must be defined in the array:

'saml:sp:IdPMetadata': a SimpleSAML_Configuration object containing the metadata of the IdP that authenticated the user in the current session.
'saml:sp:AuthId': the identifier of the current authentication source.
'core:IdP': the identifier of the local IdP.
'SPMetadata': an array with the metadata of this local SP.

Exceptions

SimpleSAML_Error_NoPassive In case the authentication request was passive.

Definition at line 527 of file SP.php.

    {
        assert(array_key_exists('saml:sp:IdPMetadata', $state));
        assert(array_key_exists('saml:sp:AuthId', $state));
        assert(array_key_exists('core:IdP', $state));
        assert(array_key_exists('SPMetadata', $state));
 
        if (isset($state['isPassive']) && (bool)$state['isPassive']) {
            // passive request, we cannot authenticate the user
            throw new SimpleSAML\Module\saml\Error\NoPassive(
                    \SAML2\Constants::STATUS_REQUESTER,
                    'Reauthentication required'
            );
        }
 
        // save the state WITHOUT a restart URL, so that we don't try an IdP-initiated login if something goes wrong
        $id = SimpleSAML_Auth_State::saveState($state, 'saml:proxy:invalid_idp', true);
        $url = SimpleSAML\Module::getModuleURL('saml/proxy/invalid_session.php');
        SimpleSAML\Utils\HTTP::redirectTrustedURL($url, array('AuthState' => $id));
        assert(false);
    }

References $id, $state, $url, SimpleSAML\Module\getModuleURL(), SimpleSAML\Utils\HTTP\redirectTrustedURL(), and SimpleSAML_Auth_State\saveState().

Referenced by reauthenticate().

Here is the call graph for this function:

Here is the caller graph for this function:

◆ authenticate()

sspmod_saml_Auth_Source_SP::authenticate ( & $state )

Start login.

This function saves the information about the login, and redirects to the IdP.

Parameters

array &$state Information about the current authentication.

Reimplemented from SimpleSAML_Auth_Source.

Definition at line 386 of file SP.php.

    {
        assert(is_array($state));
 
        /* We are going to need the authId in order to retrieve this authentication source later. */
        $state['saml:sp:AuthId'] = $this->authId;
 
        $idp = $this->idp;
 
        if (isset($state['saml:idp'])) {
            $idp = (string)$state['saml:idp'];
        }
 
        if (isset($state['saml:IDPList']) && sizeof($state['saml:IDPList']) > 0) {
            // we have a SAML IDPList (we are a proxy): filter the list of IdPs available
            $mdh = SimpleSAML_Metadata_MetaDataStorageHandler::getMetadataHandler();
            $known_idps = $mdh->getList();
            $intersection = array_intersect($state['saml:IDPList'], array_keys($known_idps));
 
            if (empty($intersection)) {
                // all requested IdPs are unknown
                throw new SimpleSAML\Module\saml\Error\NoSupportedIDP(
                    \SAML2\Constants::STATUS_REQUESTER,
                    'None of the IdPs requested are supported by this proxy.'
                );
            }
 
            if (!is_null($idp) && !in_array($idp, $intersection, true)) {
                // the IdP is enforced but not in the IDPList
                throw new SimpleSAML\Module\saml\Error\NoAvailableIDP(
                    \SAML2\Constants::STATUS_REQUESTER,
                    'None of the IdPs requested are available to this proxy.'
                );
            }
 
            if (is_null($idp) && sizeof($intersection) === 1) {
                // only one IdP requested or valid
                $idp = current($state['saml:IDPList']);
            }
        }
 
        if ($idp === null) {
            $this->startDisco($state);
            assert(false);
        }
 
        $this->startSSO($idp, $state);
        assert(false);
    }

References SimpleSAML_Auth_Source\$authId, $idp, $mdh, $state, SimpleSAML_Metadata_MetaDataStorageHandler\getMetadataHandler(), startDisco(), and startSSO().

Here is the call graph for this function:

◆ getEntityId()

sspmod_saml_Auth_Source_SP::getEntityId ( )

Retrieve the entity id of this SP.

Returns: string The entity id of this SP.

Definition at line 81 of file SP.php.

    {
        return $this->entityId;
    }

References $entityId.

Referenced by SAML2\Assertion\Validation\ConstraintValidator\SpIsValidAudience\validate().

Here is the caller graph for this function:

◆ getIdPMetadata()

sspmod_saml_Auth_Source_SP::getIdPMetadata ( $entityId )

Retrieve the metadata of an IdP.

Parameters

string $entityId The entity id of the IdP.

Returns: SimpleSAML_Configuration The metadata of the IdP.

Definition at line 102 of file SP.php.

    {
        assert(is_string($entityId));
 
        if ($this->idp !== null && $this->idp !== $entityId) {
            throw new SimpleSAML_Error_Exception('Cannot retrieve metadata for IdP ' .
                var_export($entityId, true) .
                ' because it isn\'t a valid IdP for this SP.');
        }
 
        $metadataHandler = SimpleSAML_Metadata_MetaDataStorageHandler::getMetadataHandler();
 
        // First, look in saml20-idp-remote.
        try {
            return $metadataHandler->getMetaDataConfig($entityId, 'saml20-idp-remote');
        } catch (Exception $e) {
            /* Metadata wasn't found. */
            SimpleSAML\Logger::debug('getIdpMetadata: ' . $e->getMessage());
        }
 
        /* Not found in saml20-idp-remote, look in shib13-idp-remote. */
        try {
            return $metadataHandler->getMetaDataConfig($entityId, 'shib13-idp-remote');
        } catch (Exception $e) {
            /* Metadata wasn't found. */
            SimpleSAML\Logger::debug('getIdpMetadata: ' . $e->getMessage());
        }
 
        /* Not found. */
        throw new SimpleSAML_Error_Exception('Could not find the metadata of an IdP with entity ID ' .
            var_export($entityId, true));
    }

References $entityId, SimpleSAML\Logger\debug(), and SimpleSAML_Metadata_MetaDataStorageHandler\getMetadataHandler().

Referenced by reauthenticate(), startSLO2(), and startSSO().

Here is the call graph for this function:

Here is the caller graph for this function:

◆ getMetadata()

sspmod_saml_Auth_Source_SP::getMetadata ( )

Retrieve the metadata of this SP.

Returns: SimpleSAML_Configuration The metadata of this SP.

Definition at line 91 of file SP.php.

    {
        return $this->metadata;
    }

References $metadata.

◆ getMetadataURL()

sspmod_saml_Auth_Source_SP::getMetadataURL ( )

Retrieve the URL to the metadata of this SP.

Returns: string The metadata URL.

Definition at line 71 of file SP.php.

    {
        return SimpleSAML\Module::getModuleURL('saml/sp/metadata.php/' . urlencode($this->authId));
    }

References SimpleSAML\Module\getModuleURL().

Referenced by __construct().

Here is the call graph for this function:

Here is the caller graph for this function:

◆ handleLogout()

sspmod_saml_Auth_Source_SP::handleLogout ( $idpEntityId )

Handle a logout request from an IdP.

Parameters

string $idpEntityId The entity ID of the IdP.

Definition at line 736 of file SP.php.

    {
        assert(is_string($idpEntityId));
 
        /* Call the logout callback we registered in onProcessingCompleted(). */
        $this->callLogoutCallback($idpEntityId);
    }

References $idpEntityId, and SimpleSAML_Auth_Source\callLogoutCallback().

Here is the call graph for this function:

◆ handleResponse()

sspmod_saml_Auth_Source_SP::handleResponse	(	array	$state,
			$idp,
		array	$attributes
	)

Handle a response from a SSO operation.

Parameters

array	$state	The authentication state.
string	$idp	The entity id of the IdP.
array	$attributes	The attributes.

Definition at line 693 of file SP.php.

    {
        assert(is_string($idp));
        assert(array_key_exists('LogoutState', $state));
        assert(array_key_exists('saml:logout:Type', $state['LogoutState']));
 
        $idpMetadata = $this->getIdpMetadata($idp);
 
        $spMetadataArray = $this->metadata->toArray();
        $idpMetadataArray = $idpMetadata->toArray();
 
        /* Save the IdP in the state array. */
        $state['saml:sp:IdP'] = $idp;
        $state['PersistentAuthData'][] = 'saml:sp:IdP';
 
        $authProcState = array(
            'saml:sp:IdP' => $idp,
            'saml:sp:State' => $state,
            'ReturnCall' => array('sspmod_saml_Auth_Source_SP', 'onProcessingCompleted'),
 
            'Attributes' => $attributes,
            'Destination' => $spMetadataArray,
            'Source' => $idpMetadataArray,
        );
 
        if (isset($state['saml:sp:NameID'])) {
            $authProcState['saml:sp:NameID'] = $state['saml:sp:NameID'];
        }
        if (isset($state['saml:sp:SessionIndex'])) {
            $authProcState['saml:sp:SessionIndex'] = $state['saml:sp:SessionIndex'];
        }
 
        $pc = new SimpleSAML_Auth_ProcessingChain($idpMetadataArray, $spMetadataArray, 'sp');
        $pc->processState($authProcState);
 
        self::onProcessingCompleted($authProcState);
    }

References $attributes, $idp, $idpMetadata, $state, and onProcessingCompleted().

Here is the call graph for this function:

◆ handleUnsolicitedAuth()

static sspmod_saml_Auth_Source_SP::handleUnsolicitedAuth	(		$authId,
		array	$state,
			$redirectTo
	)

static

Handle an unsolicited login operations.

This method creates a session from the information received. It will then redirect to the given URL. This is used to handle IdP initiated SSO. This method will never return.

Parameters

string	$authId	The id of the authentication source that received the request.
array	$state	A state array.
string	$redirectTo	The URL we should redirect the user to after updating the session. The function will check if the URL is allowed, so there is no need to manually check the URL on beforehand. Please refer to the 'trusted.url.domains' configuration directive for more information about allowing (or disallowing) URLs.

Definition at line 758 of file SP.php.

    {
        assert(is_string($authId));
        assert(is_string($redirectTo));
 
        $session = SimpleSAML_Session::getSessionFromRequest();
        $session->doLogin($authId, SimpleSAML_Auth_State::getPersistentAuthData($state));
 
        \SimpleSAML\Utils\HTTP::redirectUntrustedURL($redirectTo);
    }

References SimpleSAML_Auth_Source\$authId, $session, $state, SimpleSAML_Auth_State\getPersistentAuthData(), SimpleSAML_Session\getSessionFromRequest(), and SimpleSAML\Utils\HTTP\redirectUntrustedURL().

Referenced by SimpleSAML_Auth_Default\handleUnsolicitedAuth(), and onProcessingCompleted().

Here is the call graph for this function:

Here is the caller graph for this function:

◆ logout()

sspmod_saml_Auth_Source_SP::logout ( & $state )

Start logout operation.

Parameters

array $state The logout state.

Reimplemented from SimpleSAML_Auth_Source.

Definition at line 667 of file SP.php.

    {
        assert(is_array($state));
        assert(array_key_exists('saml:logout:Type', $state));
 
        $logoutType = $state['saml:logout:Type'];
        switch ($logoutType) {
        case 'saml1':
            /* Nothing to do. */
            return;
        case 'saml2':
            $this->startSLO2($state);
            return;
        default:
            /* Should never happen. */
            assert(false);
        }
    }

References $state, and startSLO2().

Here is the call graph for this function:

◆ onProcessingCompleted()

static sspmod_saml_Auth_Source_SP::onProcessingCompleted ( array $authProcState )

static

Called when we have completed the procssing chain.

Parameters

array $authProcState The processing chain state.

Definition at line 774 of file SP.php.

    {
        assert(array_key_exists('saml:sp:IdP', $authProcState));
        assert(array_key_exists('saml:sp:State', $authProcState));
        assert(array_key_exists('Attributes', $authProcState));
 
        $idp = $authProcState['saml:sp:IdP'];
        $state = $authProcState['saml:sp:State'];
 
        $sourceId = $state['saml:sp:AuthId'];
        $source = SimpleSAML_Auth_Source::getById($sourceId);
        if ($source === null) {
            throw new Exception('Could not find authentication source with id ' . $sourceId);
        }
 
        /* Register a callback that we can call if we receive a logout request from the IdP. */
        $source->addLogoutCallback($idp, $state);
 
        $state['Attributes'] = $authProcState['Attributes'];
 
        if (isset($state['saml:sp:isUnsolicited']) && (bool)$state['saml:sp:isUnsolicited']) {
            if (!empty($state['saml:sp:RelayState'])) {
                $redirectTo = $state['saml:sp:RelayState'];
            } else {
                $redirectTo = $source->getMetadata()->getString('RelayState', '/');
            }
            self::handleUnsolicitedAuth($sourceId, $state, $redirectTo);
        }
 
        SimpleSAML_Auth_Source::completeAuth($state);
    }

References $idp, $source, $sourceId, $state, SimpleSAML_Auth_Source\completeAuth(), SimpleSAML_Auth_Source\getById(), and handleUnsolicitedAuth().

Referenced by handleResponse().

Here is the call graph for this function:

Here is the caller graph for this function:

◆ reauthenticate()

sspmod_saml_Auth_Source_SP::reauthenticate ( array & $state )

Re-authenticate an user.

This function is called by the IdP to give the authentication source a chance to interact with the user even in the case when the user is already authenticated.

Parameters

array &$state Information about the current authentication.

Reimplemented from SimpleSAML_Auth_Source.

Definition at line 444 of file SP.php.

    {
        assert(is_array($state));
 
        $session = SimpleSAML_Session::getSessionFromRequest();
        $data = $session->getAuthState($this->authId);
        foreach ($data as $k => $v) {
            $state[$k] = $v;
        }
 
        // check if we have an IDPList specified in the request
        if (isset($state['saml:IDPList']) && sizeof($state['saml:IDPList']) > 0 &&
            !in_array($state['saml:sp:IdP'], $state['saml:IDPList'], true))
        {
            /*
             * The user has an existing, valid session. However, the SP
             * provided a list of IdPs it accepts for authentication, and
             * the IdP the existing session is related to is not in that list.
             *
             * First, check if we recognize any of the IdPs requested.
             */
 
            $mdh = SimpleSAML_Metadata_MetaDataStorageHandler::getMetadataHandler();
            $known_idps = $mdh->getList();
            $intersection = array_intersect($state['saml:IDPList'], array_keys($known_idps));
 
            if (empty($intersection)) {
                // all requested IdPs are unknown
                throw new SimpleSAML\Module\saml\Error\NoSupportedIDP(
                    \SAML2\Constants::STATUS_REQUESTER,
                    'None of the IdPs requested are supported by this proxy.'
                );
            }
 
            /*
             * We have at least one IdP in the IDPList that we recognize, and
             * it's not the one currently in use. Let's see if this proxy
             * enforces the use of one single IdP.
             */
            if (!is_null($this->idp) && !in_array($this->idp, $intersection, true)) {
                // an IdP is enforced but not requested
                throw new SimpleSAML\Module\saml\Error\NoAvailableIDP(
                    \SAML2\Constants::STATUS_REQUESTER,
                    'None of the IdPs requested are available to this proxy.'
                );
            }
 
            /*
             * We need to inform the user, and ask whether we should logout before
             * starting the authentication process again with a different IdP, or
             * cancel the current SSO attempt.
             */
            SimpleSAML\Logger::warning(
                "Reauthentication after logout is needed. The IdP '${state['saml:sp:IdP']}' is not in the IDPList ".
                "provided by the Service Provider '${state['core:SP']}'."
            );
 
            $state['saml:sp:IdPMetadata'] = $this->getIdPMetadata($state['saml:sp:IdP']);
            $state['saml:sp:AuthId'] = $this->authId;
            self::askForIdPChange($state);
        }
    }

References SimpleSAML_Auth_Source\$authId, $data, $mdh, $session, $state, askForIdPChange(), getIdPMetadata(), SimpleSAML_Metadata_MetaDataStorageHandler\getMetadataHandler(), SimpleSAML_Session\getSessionFromRequest(), and SimpleSAML\Logger\warning().

Here is the call graph for this function:

◆ reauthLogout()

static sspmod_saml_Auth_Source_SP::reauthLogout ( array $state )

static

Log the user out before logging in again.

This method will never return.

Parameters

array $state The state array.

Definition at line 556 of file SP.php.

    {
        SimpleSAML\Logger::debug('Proxy: logging the user out before re-authentication.');
 
        if (isset($state['Responder'])) {
            $state['saml:proxy:reauthLogout:PrevResponder'] = $state['Responder'];
        }
        $state['Responder'] = array('sspmod_saml_Auth_Source_SP', 'reauthPostLogout');
 
        $idp = SimpleSAML_IdP::getByState($state);
        $idp->handleLogoutRequest($state, null);
        assert(false);
    }

References $idp, $state, SimpleSAML\Logger\debug(), and SimpleSAML_IdP\getByState().

Here is the call graph for this function:

◆ reauthPostLogin()

static sspmod_saml_Auth_Source_SP::reauthPostLogin ( array $state )

static

Complete login operation after re-authenticating the user on another IdP.

Parameters

array $state The authentication state.

Definition at line 575 of file SP.php.

    {
        assert(isset($state['ReturnCallback']));
 
        // Update session state
        $session = SimpleSAML_Session::getSessionFromRequest();
        $authId = $state['saml:sp:AuthId'];
        $session->doLogin($authId, SimpleSAML_Auth_State::getPersistentAuthData($state));
 
        // resume the login process
        call_user_func($state['ReturnCallback'], $state);
        assert(false);
    }

References SimpleSAML_Auth_Source\$authId, $session, $state, SimpleSAML_Auth_State\getPersistentAuthData(), and SimpleSAML_Session\getSessionFromRequest().

Here is the call graph for this function:

◆ sendSAML2AuthnRequest()

sspmod_saml_Auth_Source_SP::sendSAML2AuthnRequest	(	array &	$state,
		\SAML2\Binding	$binding,
		\SAML2\AuthnRequest	$ar
	)

Function to actually send the authentication request.

This function does not return.

Parameters

array	&$state	The state array.
\SAML2\Binding	$binding	The binding.
\SAML2\AuthnRequest	$ar	The authentication request.

Definition at line 313 of file SP.php.

    {
        $binding->send($ar);
        assert(false);
    }

References $binding.

Referenced by startSSO2().

Here is the caller graph for this function:

◆ startDisco()

sspmod_saml_Auth_Source_SP::startDisco ( array $state )

private

Start an IdP discovery service operation.

Parameters

array $state The state array.

Definition at line 350 of file SP.php.

    {
        $id = SimpleSAML_Auth_State::saveState($state, 'saml:sp:sso');
 
        $discoURL = $this->discoURL;
        if ($discoURL === null) {
            /* Fallback to internal discovery service. */
            $discoURL = SimpleSAML\Module::getModuleURL('saml/disco.php');
        }
 
        $returnTo = SimpleSAML\Module::getModuleURL('saml/sp/discoresp.php', array('AuthID' => $id));
 
        $params = array(
            'entityID' => $this->entityId,
            'return' => $returnTo,
            'returnIDParam' => 'idpentityid'
        );
 
        if(isset($state['saml:IDPList'])) {
            $params['IDPList'] = $state['saml:IDPList'];
        }
 
        if (isset($state['isPassive']) && $state['isPassive']) {
            $params['isPassive'] = 'true';
        }
 
        \SimpleSAML\Utils\HTTP::redirectTrustedURL($discoURL, $params);
    }

References $discoURL, $id, PHPMailer\PHPMailer\$params, $returnTo, $state, SimpleSAML\Module\getModuleURL(), SimpleSAML\Utils\HTTP\redirectTrustedURL(), and SimpleSAML_Auth_State\saveState().

Referenced by authenticate().

Here is the call graph for this function:

Here is the caller graph for this function:

◆ startSLO2()

sspmod_saml_Auth_Source_SP::startSLO2 ( & $state )

Start a SAML 2 logout operation.

Parameters

array $state The logout state.

Definition at line 619 of file SP.php.

    {
        assert(is_array($state));
        assert(array_key_exists('saml:logout:IdP', $state));
        assert(array_key_exists('saml:logout:NameID', $state));
        assert(array_key_exists('saml:logout:SessionIndex', $state));
 
        $id = SimpleSAML_Auth_State::saveState($state, 'saml:slosent');
 
        $idp = $state['saml:logout:IdP'];
        $nameId = $state['saml:logout:NameID'];
        $sessionIndex = $state['saml:logout:SessionIndex'];
 
        $idpMetadata = $this->getIdPMetadata($idp);
 
        $endpoint = $idpMetadata->getEndpointPrioritizedByBinding('SingleLogoutService', array(
            \SAML2\Constants::BINDING_HTTP_REDIRECT,
            \SAML2\Constants::BINDING_HTTP_POST), false);
        if ($endpoint === false) {
            SimpleSAML\Logger::info('No logout endpoint for IdP ' . var_export($idp, true) . '.');
            return;
        }
 
        $lr = sspmod_saml_Message::buildLogoutRequest($this->metadata, $idpMetadata);
        $lr->setNameId($nameId);
        $lr->setSessionIndex($sessionIndex);
        $lr->setRelayState($id);
        $lr->setDestination($endpoint['Location']);
 
        $encryptNameId = $idpMetadata->getBoolean('nameid.encryption', null);
        if ($encryptNameId === null) {
            $encryptNameId = $this->metadata->getBoolean('nameid.encryption', false);
        }
        if ($encryptNameId) {
            $lr->encryptNameId(sspmod_saml_Message::getEncryptionKey($idpMetadata));
        }
 
        $b = \SAML2\Binding::getBinding($endpoint['Binding']);
        $b->send($lr);
 
        assert(false);
    }

References $encryptNameId, $endpoint, $id, $idp, $idpMetadata, $lr, $nameId, $sessionIndex, $state, sspmod_saml_Message\buildLogoutRequest(), SAML2\Binding\getBinding(), sspmod_saml_Message\getEncryptionKey(), getIdPMetadata(), SimpleSAML\Logger\info(), and SimpleSAML_Auth_State\saveState().

Referenced by logout().

Here is the call graph for this function:

Here is the caller graph for this function:

◆ startSSO()

sspmod_saml_Auth_Source_SP::startSSO	(		$idp,
		array	$state
	)

Send a SSO request to an IdP.

Parameters

string	$idp	The entity ID of the IdP.
array	$state	The state array for the current authentication.

Definition at line 325 of file SP.php.

    {
        assert(is_string($idp));
 
        $idpMetadata = $this->getIdPMetadata($idp);
 
        $type = $idpMetadata->getString('metadata-set');
        switch ($type) {
        case 'shib13-idp-remote':
            $this->startSSO1($idpMetadata, $state);
            assert(false); /* Should not return. */
        case 'saml20-idp-remote':
            $this->startSSO2($idpMetadata, $state);
            assert(false); /* Should not return. */
        default:
            /* Should only be one of the known types. */
            assert(false);
        }
    }

References $idp, $idpMetadata, $type, getIdPMetadata(), startSSO1(), and startSSO2().

Referenced by authenticate().

Here is the call graph for this function:

Here is the caller graph for this function:

◆ startSSO1()

sspmod_saml_Auth_Source_SP::startSSO1	(	SimpleSAML_Configuration	$idpMetadata,
		array	$state
	)

private

Send a SAML1 SSO request to an IdP.

Parameters

SimpleSAML_Configuration	$idpMetadata	The metadata of the IdP.
array	$state	The state array for the current authentication.

Definition at line 141 of file SP.php.

    {
        $idpEntityId = $idpMetadata->getString('entityid');
 
        $state['saml:idp'] = $idpEntityId;
 
        $ar = new \SimpleSAML\XML\Shib13\AuthnRequest();
        $ar->setIssuer($this->entityId);
 
        $id = SimpleSAML_Auth_State::saveState($state, 'saml:sp:sso');
        $ar->setRelayState($id);
 
        $useArtifact = $idpMetadata->getBoolean('saml1.useartifact', null);
        if ($useArtifact === null) {
            $useArtifact = $this->metadata->getBoolean('saml1.useartifact', false);
        }
 
        if ($useArtifact) {
            $shire = SimpleSAML\Module::getModuleURL('saml/sp/saml1-acs.php/' . $this->authId . '/artifact');
        } else {
            $shire = SimpleSAML\Module::getModuleURL('saml/sp/saml1-acs.php/' . $this->authId);
        }
 
        $url = $ar->createRedirect($idpEntityId, $shire);
 
        SimpleSAML\Logger::debug('Starting SAML 1 SSO to ' . var_export($idpEntityId, true) .
            ' from ' . var_export($this->entityId, true) . '.');
        \SimpleSAML\Utils\HTTP::redirectTrustedURL($url);
    }

References $id, $idpEntityId, $idpMetadata, $state, $url, SimpleSAML\Logger\debug(), SimpleSAML\Module\getModuleURL(), SimpleSAML\Utils\HTTP\redirectTrustedURL(), and SimpleSAML_Auth_State\saveState().

Referenced by startSSO().

Here is the call graph for this function:

Here is the caller graph for this function:

◆ startSSO2()

sspmod_saml_Auth_Source_SP::startSSO2	(	SimpleSAML_Configuration	$idpMetadata,
		array	$state
	)

private

Send a SAML2 SSO request to an IdP.

Parameters

SimpleSAML_Configuration	$idpMetadata	The metadata of the IdP.
array	$state	The state array for the current authentication.

Definition at line 177 of file SP.php.

    {
        if (isset($state['saml:ProxyCount']) && $state['saml:ProxyCount'] < 0) {
            SimpleSAML_Auth_State::throwException(
                $state,
                new \SimpleSAML\Module\saml\Error\ProxyCountExceeded(\SAML2\Constants::STATUS_RESPONDER)
            );
        }
 
        $ar = sspmod_saml_Message::buildAuthnRequest($this->metadata, $idpMetadata);
 
                // ilias-patch: begin
                // see: https://bugs.launchpad.net/mahara/+bug/1689685
                // see: https://github.com/simplesamlphp/simplesamlphp/issues/503
                //$ar->setAssertionConsumerServiceURL(SimpleSAML\Module::getModuleURL('saml/sp/saml2-acs.php/' . $this->authId));
                $ar->setAssertionConsumerServiceURL(ILIAS_HTTP_PATH . '/Services/Saml/lib/saml2-acs.php/default-sp/' . CLIENT_ID);
                // ilias-patch: end
 
        if (isset($state['SimpleSAML_Auth_Source.ReturnURL'])) {
            $ar->setRelayState($state['SimpleSAML_Auth_Source.ReturnURL']);
        }
 
        if (isset($state['saml:AuthnContextClassRef'])) {
            $accr = SimpleSAML\Utils\Arrays::arrayize($state['saml:AuthnContextClassRef']);
            $comp = SAML2\Constants::COMPARISON_EXACT;
            if (isset($state['saml:AuthnContextComparison']) && in_array($state['AuthnContextComparison'], array(
                        SAML2\Constants::COMPARISON_EXACT,
                        SAML2\Constants::COMPARISON_MINIMUM,
                        SAML2\Constants::COMPARISON_MAXIMUM,
                        SAML2\Constants::COMPARISON_BETTER,
            ), true)) {
                $comp = $state['saml:AuthnContextComparison'];
            }
            $ar->setRequestedAuthnContext(array('AuthnContextClassRef' => $accr, 'Comparison' => $comp));
        }
 
        if (isset($state['ForceAuthn'])) {
            $ar->setForceAuthn((bool)$state['ForceAuthn']);
        }
 
        if (isset($state['isPassive'])) {
            $ar->setIsPassive((bool)$state['isPassive']);
        }
 
        if (isset($state['saml:NameID'])) {
            if (!is_array($state['saml:NameID']) && !is_a($state['saml:NameID'], '\SAML2\XML\saml\NameID')) {
                throw new SimpleSAML_Error_Exception('Invalid value of $state[\'saml:NameID\'].');
            }
            $ar->setNameId($state['saml:NameID']);
        }
 
        if (isset($state['saml:NameIDPolicy'])) {
            if (is_string($state['saml:NameIDPolicy'])) {
                $policy = array(
                    'Format' => (string)$state['saml:NameIDPolicy'],
                    'AllowCreate' => true,
                );
            } elseif (is_array($state['saml:NameIDPolicy'])) {
                $policy = $state['saml:NameIDPolicy'];
            } else {
                throw new SimpleSAML_Error_Exception('Invalid value of $state[\'saml:NameIDPolicy\'].');
            }
            $ar->setNameIdPolicy($policy);
        }
 
        if (isset($state['saml:IDPList'])) {
            $IDPList = $state['saml:IDPList'];
        } else {
            $IDPList = array();
        }
 
        $ar->setIDPList(array_unique(array_merge($this->metadata->getArray('IDPList', array()), 
                                                $idpMetadata->getArray('IDPList', array()),
                                                (array) $IDPList)));
 
        if (isset($state['saml:ProxyCount']) && $state['saml:ProxyCount'] !== null) {
            $ar->setProxyCount($state['saml:ProxyCount']);
        } elseif ($idpMetadata->getInteger('ProxyCount', null) !== null) {
            $ar->setProxyCount($idpMetadata->getInteger('ProxyCount', null));
        } elseif ($this->metadata->getInteger('ProxyCount', null) !== null) {
            $ar->setProxyCount($this->metadata->getInteger('ProxyCount', null));
        }
 
        $requesterID = array();
        if (isset($state['saml:RequesterID'])) {
            $requesterID = $state['saml:RequesterID'];
        }
 
        if (isset($state['core:SP'])) {
            $requesterID[] = $state['core:SP'];
        }
 
        $ar->setRequesterID($requesterID);
 
        if (isset($state['saml:Extensions'])) {
            $ar->setExtensions($state['saml:Extensions']);
        }
 
        // save IdP entity ID as part of the state
        $state['ExpectedIssuer'] = $idpMetadata->getString('entityid');
 
        $id = SimpleSAML_Auth_State::saveState($state, 'saml:sp:sso', true);
        $ar->setId($id);
 
        SimpleSAML\Logger::debug('Sending SAML 2 AuthnRequest to ' .
            var_export($idpMetadata->getString('entityid'), true));
 
        /* Select appropriate SSO endpoint */
        if ($ar->getProtocolBinding() === \SAML2\Constants::BINDING_HOK_SSO) {
            $dst = $idpMetadata->getDefaultEndpoint('SingleSignOnService', array(
                \SAML2\Constants::BINDING_HOK_SSO)
            );
        } else {
            $dst = $idpMetadata->getEndpointPrioritizedByBinding('SingleSignOnService', [
                \SAML2\Constants::BINDING_HTTP_REDIRECT,
                \SAML2\Constants::BINDING_HTTP_POST,
            ]);
        }
        $ar->setDestination($dst['Location']);
 
        $b = \SAML2\Binding::getBinding($dst['Binding']);
 
        $this->sendSAML2AuthnRequest($state, $b, $ar);
 
        assert(false);
    }

References $dst, $id, $idpMetadata, $state, SimpleSAML\Utils\Arrays\arrayize(), sspmod_saml_Message\buildAuthnRequest(), SAML2\Constants\COMPARISON_EXACT, SimpleSAML\Logger\debug(), SAML2\Binding\getBinding(), SimpleSAML_Auth_State\saveState(), sendSAML2AuthnRequest(), and SimpleSAML_Auth_State\throwException().

Referenced by startSSO().

Here is the call graph for this function:

Here is the caller graph for this function:

Field Documentation

◆ $discoURL

sspmod_saml_Auth_Source_SP::$discoURL

private

Definition at line 31 of file SP.php.

Referenced by startDisco().

◆ $entityId

sspmod_saml_Auth_Source_SP::$entityId

private

Definition at line 10 of file SP.php.

Referenced by getEntityId(), and getIdPMetadata().

◆ $idp

sspmod_saml_Auth_Source_SP::$idp

private

Definition at line 24 of file SP.php.

Referenced by authenticate(), handleResponse(), onProcessingCompleted(), reauthLogout(), startSLO2(), and startSSO().

◆ $metadata

sspmod_saml_Auth_Source_SP::$metadata

private

Definition at line 17 of file SP.php.

Referenced by getMetadata().

The documentation for this class was generated from the following file:

libs/composer/vendor/simplesamlphp/simplesamlphp/modules/saml/lib/Auth/Source/SP.php

Public Member Functions

Static Public Member Functions

Private Member Functions

Private Attributes

Additional Inherited Members

Detailed Description

Constructor & Destructor Documentation

◆ __construct()

Member Function Documentation

◆ askForIdPChange()

◆ authenticate()

◆ getEntityId()

◆ getIdPMetadata()

◆ getMetadata()

◆ getMetadataURL()

◆ handleLogout()

◆ handleResponse()

◆ handleUnsolicitedAuth()

◆ logout()

◆ onProcessingCompleted()

◆ reauthenticate()

◆ reauthLogout()

◆ reauthPostLogin()

◆ sendSAML2AuthnRequest()

◆ startDisco()

◆ startSLO2()

◆ startSSO()

◆ startSSO1()

◆ startSSO2()

Field Documentation

◆ $discoURL

◆ $entityId

◆ $idp

◆ $metadata